Mandriva Linux Security Advisory : nss (MDVSA-2013:301)
High Nessus Plugin ID 71608
SynopsisThe remote Mandriva Linux host is missing one or more security updates.
DescriptionA vulnerability has been discovered and corrected in mozilla NSS :
Google notified Mozilla that an intermediate certificate, which chains up to a root included in Mozillas root store, was loaded into a man-in-the-middle (MITM) traffic management device. This certificate was issued by Agence nationale de la scurit des systmes d'information (ANSSI), an agency of the French government and a certificate authority in Mozilla's root program. A subordinate certificate authority of ANSSI mis-issued an intermediate certificate that they installed on a network monitoring device, which enabled the device to act as a MITM proxy performing traffic management of domain names or IP addresses that the certificate holder did not own or control.
The issue was not specific to Firefox but there was evidence that one of the certificates was used for MITM traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking trust in the intermediate used by the sub-CA to issue the certificate for the MITM device.
The NSS packages has been upgraded to the 22.214.171.124 version which is unaffected by this security flaw.
Additionally the rootcerts packages has been upgraded with the latest certdata.txt file as of 2013/12/04 from mozilla.
SolutionUpdate the affected packages.